Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/08/2024, 05:21

General

  • Target

    63846f0545e6163d027a52bd567bb6d0N.exe

  • Size

    2.6MB

  • MD5

    63846f0545e6163d027a52bd567bb6d0

  • SHA1

    e6946c7f988f31b4efb315246147b007ea3675d6

  • SHA256

    3033861d0602d6984533979d09984a5c7ae4ff33afcbd45923bd6fb66900551d

  • SHA512

    ce3896e7ec819730a6722efac618394cb28888bbd5e4bfb143f15af197b88559a6f016604b3eacdd0d4c982bf956b7358dc6c33fdd5fa58433bab4ba71c67d84

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bS:sxX7QnxrloE5dpUpgb

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63846f0545e6163d027a52bd567bb6d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\63846f0545e6163d027a52bd567bb6d0N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4024
    • C:\SysDrv4C\devbodsys.exe
      C:\SysDrv4C\devbodsys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2216

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\GalaxYR\optixec.exe

    Filesize

    2.6MB

    MD5

    18c93fdfa0e52d91cd784ffc73dff385

    SHA1

    942f7f923689573a7c2625aefa9c0226ee06681a

    SHA256

    e63336f21ffada8282b957c97719235e10d1bd0e2e848f40f5286ce066c8693d

    SHA512

    6b0079c82a6658a8a229fa26989b5021b7e84e23b712e0cc3a996d39c97c43fdbc59cd6bc4e95e00f476d4be3b6d0b368a357da58af7ddbfeffbe6ee078be7d6

  • C:\GalaxYR\optixec.exe

    Filesize

    1.6MB

    MD5

    5696f8cb7b3197c901ec9e7d36c1037c

    SHA1

    147d3c98835baf107d251c46319b17d864a5d9fb

    SHA256

    faec6758106bd7e3f106395953741cb0e1128a72a52543bcbb665a4880450bbb

    SHA512

    0664f9e9b980457ff15835fbb66e8331c37b9d3229ddd077f3653ebcb3e1772ede12d7c262c612e49877cb7cd2149ad48aafae3294418229ecbe0a9eb11c36f6

  • C:\SysDrv4C\devbodsys.exe

    Filesize

    1.2MB

    MD5

    a8a3f5c8a306408a9d69bd140db67622

    SHA1

    35e61a4760dc153dd09e6db1d3b402dce89b5e0d

    SHA256

    08e09b083fb7e40398408233997c98f5eda8c4186687f2cd081aef00c41d3465

    SHA512

    2cce7bff0c0dcfa2e542694ac0cbf3f274087715615a645ce759c99280cc84c4976b5ca8a04398f4a69eecc2398ee0da8516433c625b52715df34a5032b3e1b6

  • C:\SysDrv4C\devbodsys.exe

    Filesize

    2.6MB

    MD5

    2e0d4671c32129f0e30a54e4b7bfa82c

    SHA1

    c9ef00e52c466b5dc1a4f7474dd04d5ed57acca8

    SHA256

    3cd41be7239512569b943a4f48f6f11a3881d16ae31e05810c8d197cb7a80dba

    SHA512

    a5b462275dce4eac1aeffde167081817dc2e47593cf02918ba999b251abde3be0e4abf694e2bfcfc2558b53d67d2dc9d7ac2f3ab6b695e263e85e5e621c39ae7

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    207B

    MD5

    105ec10af36c5267ff02644539574de7

    SHA1

    005f46ee922759764f46faa06897c06ffc9a9247

    SHA256

    6b56408b7ac9781505f89ced320ed936ef498e5917147b20d703a8f7e8993bfe

    SHA512

    06ba3d4d181871c71511435ae2fefc60be2ed589750b4062e1cc3ed9f57cdf4f1747ee6f129749f499bf9e377a6721d3cb40afa133a51e24b685c96dfa8b5283

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    175B

    MD5

    ac6e02802f010c3c095223a42c014d02

    SHA1

    7bcf3c01f59f123b4619202400721a88e1725e93

    SHA256

    b71f8e015b90cefaf2dbcbca4502485cd90d3afcbb5e104f05e01818648375ca

    SHA512

    0b8db0f952f293b53cf5372804301c3d120477a3e90828265eb4f0f9464902ac8de787ed8390d9e149dfc3963c0b73e48ec62d3d718e5a3693b5d2b4dd69a5c9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe

    Filesize

    2.6MB

    MD5

    1c93eb8f3eb4e6577a3cf2a94afb2bbd

    SHA1

    331f723e9552839666c9e8402ce04ee7fca8064f

    SHA256

    bac1e20f31ddc80c54752ed6e952378db3f908a0bfd5834f12a0b2de98957032

    SHA512

    54c364d7ca149be98f3c1892869dbbb65b165ba16c5dd0af21b20b984e9552d74efe77d4a59d6c990b682adb8ac13427cc8c3dedd1a4dab57e47838b3da08669